The Mesh and Directory Role, which installs an OpenLDAP service, is used by Carbonio CE for user authentication and account management.

The OpenLDAP features the ability to use three authentication mechanisms provided by Carbonio CE. The authentication type can be set independently for each domain defined in the Carbonio CE infrastructure.

  1. Local LDAP. The internal authentication method assumes that the LDAP scheme is running on the Carbonio CE server where the Directory Server Role is installed.

  2. External LDAP. The external LDAP authentication method allows to connect to an LDAP server, possibly external to the Carbonio CE infrastructure, using a username and password existing in the external database.

  3. External Active Directory The external Active Directory authentication method involves the use of Microsoft Active Directory services for authentication and Carbonio CE’s Directory Server services for all other transactions.

Both the External LDAP and External Active Directory have as their main requirement that users exist on both servers. Please refer to Section External LDAP for configuration details.

Whenever an external authentication method is configured, it will be used as the default and the local authentication serves as fallback.

Local LDAP#

The default authentication method is local LDAP. This method does not require any specific configuration other than the installation of the Mesh and Directory Role according to the procedure described in the documentation.

External LDAP#

To illustrate how an external LDAP source works in Carbonio CE, we build on the following scenario.

  • Define on Carbonio CE the domain authentication.example.com

  • On an external LDAP server, located at a domain called external_ldap.com exists


    This external source can also be another Carbonio CE.

  • On the external LDAP server a dedicated user exists, that will be used for the LDAP connection (for example service.ldap@external_ldap.com with password a_strong_pwd!)

Our goal is to have the authentication.example.com domain users authenticate with the passwords of the domain accounts external_ldap.com defined on the external ldap server

On Carbonio CE, set up the authentication.example.com domain for authentication on the external LDAP using the command below. Remember to change the values in the scenario with the actual values of your infrastructure!

zextras$ carbonio prov md authentication.example.com \
zimbraAuthLdapSearchBase "ou=people,dc=external_ldap,dc=com" \
zimbraAuthLdapSearchBindDn \
"uid=service.ldap,ou=people,dc=external_ldap,dc=com" \
zimbraAuthLdapSearchBindPassword "a_strong_pwd!" \
zimbraAuthLdapSearchFilter "uid=%u" zimbraAuthLdapURL \

Create three test accounts on the external LDAP domain with username and password:

user1@external_ldap.com password1
user2@external_ldap.com password2
user3@external_ldap.com password3

Finally, we also create 3 accounts on Carbonio CE

zextras$ carbonio prov ca user1@authentication.example.com ""
zextras$ carbonio prov ca user2@authentication.example.com ""
zextras$ carbonio prov ca user3@authentication.example.com ""


Do not provide any passwords in these commands!

If all the steps have been performed correctly, any of the three accounts can login to Carbonio CE using the passwords defined on the respective users of the external LDAP server.